HOWTO open an electronic hotel-room lock without a key

Cody Brocious -- a Mozilla dev and security researcher -- presented a paper on a vulnerability in hotel-door locks last month at Black Hat. Many electronic hotel door-locks made by Onity have a small DC power-port that also supplies data beneath them. Brocious showed that if he plugs an Arduino into these locks, reads out the 24-bit number sitting there, and re-transmits it to them, some appreciable fraction of them (but not all of them) spring open.

Testing a standard Onity lock he ordered online, he’s able to easily bypass the card reader and trigger the opening mechanism every time. But on three Onity locks installed on real hotel doors he and I tested at well-known independent and franchise hotels in New York, results were much more mixed: Only one of the three opened, and even that one only worked on the second try, with Brocious taking a break to tweak his software between tests.
Even with an unreliable method, however, Brocious’s work–and his ability to open one out of the three doors we tested without a key–suggests real flaws in Onity’s security architecture. And Brocious says he plans to release all his research in a paper as well as source code through his website following his talk, potentially enabling others to perfect his methods.
Brocious’s exploit works by spoofing a portable programming device that hotel staff use to control a facility’s locks and set which master keys open which doors. The portable programmer, which plugs into the DC port under the locks, can also open any door, even providing power through that port to trigger the mechanism of a door lock in which the battery has run out.

Hacker Will Expose Potential Security Flaw In Four Million Hotel Room Keycard Locks

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.

MORE: Arduino • black hat • Business • Gadgets • makers • scholarship • security

More at Boing Boing

Eurovision 2013: An American in London

The technology that links taxonomy and Star Trek

xian

What’s the point of releasing his research as well as source code here? Why not work with the manufacturer of these locks instead of placing the hotel staying public in danger? In other words, christ, what an asshole…
- Jeremy Mesiano-Crookston
  
  He’s actually an employee of a company trying to push into the hotel room lock market. So his publishing the source code is most definitely a calculated move to smash his opposition’s reputation.
  - http://twitter.com/daeken Cody Brocious
    
    For what it’s worth, UPM is dead in all but name; the plan is to release all source for the complete replacement system and turn it into a real open source project, but we’re still planning how to do that effectively. I’ll be blogging about it in the future.
    - Jeremy Mesiano-Crookston
      
      You know what, that’s absolutely fair. I has previous assumed that your actions were on the behalf of an employer who was purely private-sector.
      
      An open source project finding security weaknesses is something I can understand and support. Please ignore all my other comments.
  - xian
    
    The linked article says he’s a former employee of a company that was trying to make a competing product, but ended up instead selling this hack to the Locksmith Institute.
  - http://www.openbuddha.com/ Al Billings
    
    Jeremy, Mozilla isn’t trying to “push into the hotel room lock market.”
- theophrastvs
  
  proof by blatant assertion: the majority of companies contacted by a “hacker” warning them of a security hole in their product respond not by sensibly fixing the problem (and thanking the “hacker” for coming to them first and thus doing research for them) but instead lawyering-up to produce threats and gag-orders.
  
  whereas, this way this (technically cunning) guy might actually help to protect your kit in your hotel.
  - Jeremy Mesiano-Crookston
    
    Again…. this was pretty much reputation sabotage conducted by one hotel lock company on another. This isn’t exactly noble.
    - theophrastvs
      
      who said anything about being noble? assume this chap had nothing but the foulest self-serving intent, if you like. but your original comment assumed he is “asshole” for not going to the manufacturer first and instead presenting his crack to the public at large, to which i provided one tenable reason that strategy might not work out so well in general.
      
      and i still think it’s a technically cunning crack to notably poor engineered security. *i* wouldn’t have thought of trying that.
- http://mikeoshea.net/ somnambulist
  
  It’s been fairly well established that well known companies don’t work with random 3rd party hackers that approach them.
  
  Also, he spent years on this, you should be appreciative of his time instead of calling him an asshole.
  
  Why? Because their are 10 more guys that would have immediately sold this for illegal reasons and not gone public at all. The guys that go public are heros, not assholes.
  - xian
    
    That’s an awful lot of speculation you’ve got going there. All I know is that once he releases his source code into the wild, the bar to breaking and entering into hotel rooms will be drastically lowered and will most likely be exploited by people without the know how or patience to figure out this on their own.
  - oasisob1
    
    “Why? Because their are 10 more guys that would have immediately sold this for illegal reasons and not gone public at all.”
    
    Who says the 10 more guys didn’t already do just that?
- http://profiles.yahoo.com/u/RA4AVVHBDO7ZTD3ANU6CLVQZPI pierre
  
  He’s a black hat, the entire point is mayhem and destruction. Which is good in my opinion.
- http://profiles.google.com/stephen.schenck Stephen Schenck
  
  Because reading about security vulnerabilities is AWESOME. God, I miss classic Phrack.
http://botaday.com mmrtnt

The phone call is coming from inside the hotel room!
http://www.jimdraws.com Thorzdad

According to Brocious himself, it took him three years to reverse-engineer the system to achieve this result. This definitely wasn’t a quick hack.
- http://twitter.com/daeken Cody Brocious
  
  Indeed, though it’s a bit complicated. While I worked on this for 3 years, only maybe a solid year to a year and a half was spent reversing, with the rest of it being spent on building our actual product (a web-based replacement for the Onity front desk system). The lock protocol stuff was the last bit of it, and it was maybe 6 months of part-time work, including the time to teach myself the low-level hardware aspects of it.
  
  It’s been an interesting journey; gotta find something new to take apart.
Jeremy Mesiano-Crookston

Haha oh my GAWRD!

Do you mean to say that with a lot of effort, highly technical and specialized equipment, and years of training in systems bypassing, an expert in computers and software can hack open an electronic, software based lock some of the time?

Good on him for finding it, but the fear in the linked article is a little much.

Edit: after getting to the end of the linked article, it’s super hilarious:

Brocious says he stumbled upon the the flaws in Onity’s locks while working as the chief technology officer for a startup called Unified Platform Management Corporation, which sought to compete with bigger players in the hotel lock industry by creating a universal front end system for hotels that used common lock technologies. Brocious was hired to reverse engineer hotel locks, and Onity was his first target. The discovery of Onity’s security vulnerabilities was entirely unintentional, he says.

Priceless! So this is the “black hat”? A “mozilla dev and security researcher”, who is actually an employee of a company working to reverse engineer locks and find vulnerabilities in them so that his employer could use those vulnerabilities to push them out of the market. And his desire to publish all vulnerabilities online, INCLUDING the source code to his device, thus making his competitors’ locks vulnerable is somehow something noble and just?

This is hilarious industry sabotage, dressed up with the language of hackers. And a conspicuous neckbeard.
- http://twitter.com/daeken Cody Brocious
  
  > A “mozilla dev and security researcher”, who is actually an employee of a company working to reverse engineer locks and find vulnerabilities in them so that his employer could use those vulnerabilities to push them out of the market. And his desire to publish all vulnerabilities online, INCLUDING the source code to his device, thus making his competitors’ locks vulnerable is somehow something noble and just?
  1) The goal was not to find vulnerabilities, but to figure out how the locks worked so we could interoperate with them.
  2) UPM is — for all intents and purposes — dead. Onity isn’t a competitor of ours, since we aren’t doing business any longer. In fact, everything is being open sourced in the nearish future (we’re trying to figure out the details and not leave our customers without support).
  
  Whether or not you think this work is noble and/or just (I personally wouldn’t use either of those words for this), it’s definitely not industry sabotage. I have nothing to personally gain from this; had I released this info two years ago, I certainly couldn’t have said the same.
http://www.facebook.com/profile.php?id=1911231 Maureen Geoghegan

I’ve worked with Saflok’s and VingCard’s RFID and magstrip readers. The newer models hotels are now installing don’t allow a plug-in programmer anymore. The lock programming devices communicate wirelessly with the locksets, and you have to be standing right in front of them. This means that you can’t give it a jump of power from the programming device to open the door.

However, the study seems to be looking more into the fact that you can trick the device into thinking you’re using a master key, so this is still a possibilty.
- jandrese
  
  That’s meaningless if it’s just the same protocols over the wireless connection instead of the physical port. In fact it’s worse because someone hanging out near a door for awhile with a concealed box is much less suspicious than the guy plugging some device into it.
  
  It’s possible the companies have improved the security at the same time, but I would be completely unsurprised if most of their security hinges on being a proprietary protocol.
technogeekagain

Note that the port in question is INSIDE the door. Which would mean you’d have to navigate your probe wire around the closed door and to that port.

There are easier vulnerabilities to exploit.

This is interesting, but not a significant security reduction as it stands… and I’m not convinced it can be turned into one. (He says, speaking as both programmer and locksmith.)
- http://twitter.com/daeken Cody Brocious
  
  The port is on the outside, just below the battery panel, on the bottom of the lock. It’s what the hotel staff use to reprogram and open the locks themselves; no room access required.
- http://www.jjsaul.com Jim Saul
  
  That’s what I thought at first glance, but I’m pretty sure it’s on the outside in the photo above… on the same side as the card reader. I think the hacker is on the room side of the door just for the sake of the photo.
nixiebunny

Cody, did you buy a programmer from Onity, or reverse-engineer its functionality using only the door lock?
- http://twitter.com/daeken Cody Brocious
  
  I got a portable programmer (and all the rest of my hardware — locks, encoders, etc) from a third party vendor; Onity won’t sell random bits of hardware to people AFAIK, and it’d be quite expensive either way.
  
  Every bit of reversing I did was black box, though; sit on the wire and capture data, then start emulating one side or the other. Much simpler in this case than pulling firmware and going down to the code level.
  
  (Also, I can’t tell you how nice it is to see a technical question mixed in here. So much more fun to answer than everything else.)
bumblebeeeeeee

Not sure the point.

If someone wanted to gain entry to a hotel room, well, that’s easy in several other methods.
http://profile.yahoo.com/E3F756JAK3CIY5EOQ55I56C7FA rusty

Those hotel locks are much more easily defeated with an ‘L’ shaped piece of stiff wire and a semi-flexible wire cable ‘noose’ attached. I watched a maintenance guy do it to get into a room when his master key-card and laptop access attempts were unsuccessful.
http://twitter.com/Bestpaperboy Michael Chazin

Once checked into a new hotel on the beach in Malibu that had only been open a week. Dropped off bags in the room and went downstairs for lunch. When I came back up my card wouldn’t open the door. Called downstairs and someone came up and tried every master card, etc and couldn’t get the door to open. Maintenance had to come up and take the door off its hinges. True story.
- oasisob1
  
  How do you take the door off the hings from the outside? They’re normally on the inside.
http://latentraveningferocity.blogspot.com/ latent_ravening_ferocity

I work in a hotel with these kinds of locks. Onity sent us an e-mail promising a firmware update in the near future. So I’m looking forward to reprogramming every lock in the hotel one-by-one.
- http://twitter.com/daeken Cody Brocious
  
  Iiiiinteresting. I’m looking forward to seeing what they come out with; I never found a functional programming interface on any of the circuit board revs I tested (though I didn’t test the ‘Advance’ HT locks), so I’m very curious as to how they’re going to do the update. Regardless, good on them for making the effort; now to see how it pans out.
  
  As I detailed in the presentation, there are two sides to this: raw memory access, and broken crypto. Fixing the raw memory access is /fairly/ easy (requires flashing (if possible) or replacing locks, and an update to the portable programmer (swap the EPROM or whole unit)), but fixing the broken crypto requires a *lot* more work. I have this suspicion that only the former will happen, not the latter.